Simple title, complex issue. Username-password (U/P) schemes are the oldest form of authentication on the net, and many agree they are getting weaker all the time. The cause of this weakness is human nature with regards to how you go about managing passwords you can remember. We go around the net reusing the same username and in many cases the same weak password. This has two parts to it in my mind the human side and the technical side.
Why do users insist on using the same password over and over? Well for a practical reason our memory is limited as to what it can hold and recall when necessary. One could take the Bruce Schneier approach and write U/P pairs on a post-it not held in your wallet to address some of this. This still leaves the possibility for weak passwords and password reuse, not to mention a stolen or lost wallet resulting in the reset shuffle (password reset requests over email). Any non-security minded user likely will not differentiate passwords usage either. What I mean by that is the passwords for use in say financial transactions have a different gradient than those used for email and they too are a different gradient from sites that hold little or no personal information. Most users know their financial transactions are more sensitive but differentiate how they generate passwords for those example categories.
[Partially shameless plug, skip at your convenience] One of the solutions I use for this is somewhat similar to Bruce, but not on a post-it in my wallet and I also employ differentiation. I use KeePass, a free and open source password vault. Passwords I want to readily remember for general use or type-able (not stored) on my mobile are ones I can remember and type at will. For more sensitive actions I use the vault in KeePass. This allows me to set passwords with the maximum length supported by a site and enforce their maximum rules for complexity, thus I get a really ugly human-readable password I can’t remember. When I need it I put in my thumb drive, load the key and pass phrase for the vault and access the password. These tend to be less often accessed and sites that hold my most sensitive data (think banking). As soon as I am done with the password I close the program and safely remove the drive to minimize possible attacks. I also have passwords for sites I use rarely and don’t want to devote biological memory too.
Sites continue to use and ask for passwords on the concept that they want to tailor the service for us or differentiate service to a groups of customers. This makes sense to me, but why my local paper would need this so the stories I want to see are in a particular order does not (cookies work fine in this limited sense for my thinking). The real bottom line is sites and applications continue to use this paradigm because users are comfortable with it and it has very low friction even if it is somewhat broken. Two possible solutions to this are OpenID and Information Cards (IC). I am not going to get deep into the technicals here, there are much better experts than I. What I am intrigued by is how little adoption both have. From a practical standpoint I have tried both, I really don’t like OpenID, the use of URIs, it’s weakness from an identity provider standpoint and just general implementation make it an unattractive solution for the general audience in my mind although at the moment it has good support from Yahoo!, Google and a few others.
What really perplexes me is that I see IC as the clearly better solution here but it’s use is highly limited. The real force behind IC is Microsoft, are they so hated that a good solution doesn’t gain traction? Admittedly they aren’t really using it either (minimal use at Hotmail, which now also appears dead) and a small number of managed providers is likely not helping. I get lots of what I think people want (think Laws of Identity) and an interface I think most users can relate to.
So readers help me out here and comment. Am I barking up the wrong tree? Are we doomed to a continued use of U/P schemes? Will authentication privacy be the wave of future security focus?